Der Spiegel, 30 December 2013

http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html
(TS) NSA QUANTUM Tasking Techniques
for the R&T Analyst

• (TS//SI//REL) Only R&T Analysts can submit QUANTUMTHEORY Tasking to the
QUANTUM team. TOPI Analysts can submit QUANTUMNATION Tasking through
Target Profiler. The biggest difference is QUANTUMTHEORY deploys a stage 1 implant
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION deploys a
stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die within 30 days of
deployment unless requested to extend the life.

• (TS//SI//REL) This presentation does not cover FAA QUANTUM, but if you identify an
active selector, compare the SIGAD in Marina to the SIGAD on the GO QUANTUM wiki
page to see if FAA QUANTUM is an option.

• (TS//SI//REL) This presentation is geared towards targets seen at US- . If you are
unfamiliar with this SIGAD, it is equivalent to a TS//NF SIGAD that cannot be
mentioned in this PowerPoint. You can contact the POC of this brief for more
information.
Web Browsing (Exploit with QUANTUM - The concept man-on-the-side)

* QUANTUM is a man-on-the-side capability. If your target has a selector
that is active in the last 14 days, vulnerable to the QUANTUM technique,
and seen by an SSO site that has QUANTUM capabilities, then there might
be the opportunity to detect that communication in real-time and piggy
back with the requested content back into the target's network and
implant the host.

* QUANTUMTHEORY can be used only if a TAO Project is set up (must
coordinate with your R&T Analyst)

* QUANTUMNATION can be used regardless of a TAO Project (TOPI does the
tasking in Target Profiler)

* The biggest difference is QUANTUMTHEORY deploys a stage 1 implant
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION
deploys a stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die
within 30 days of deployment unless requested to extend the life. The
exploit technique is the same.
What is QUANTUM?

QUANTUM Generic Animation - High Level of How It Works

[Diagram labels: Target, Internet Router, Yahoo's Web Server, TAO FOXACID Server]

1. Target logs into his Yahoo account

2. SSO site sees the QUANTUM tasked Yahoo selector's packet and forwards it to TAO's FOXACID Server

3. FOXACID injects a FOXACID URL into the packet and sends it back to the target's computer

4. Yahoo server receives the packet requesting email content

6. The target's Yahoo webpage is loaded but in the background the FOXACID URL loads which redirects to the FOXACID Exploit

7. If the browser is exploitable and the PSP is safe, FOXACID deploys a Stage 1 implant back to the target

Target Implanted!
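A defender's view of steps 3 and 4, as an added example that is not part of the original slides: a man-on-the-side injector can add packets but cannot remove the genuine server reply, so the client ends up receiving two TCP segments that carry different bytes at the same sequence position. The packet tuples, addresses and the function name `find_conflicting_segments` below are constructed for illustration.

```python
from collections import defaultdict

def find_conflicting_segments(packets):
    """Return one alert per segment whose bytes disagree with data already
    seen at the same TCP sequence position in the same flow.
    Byte-identical retransmissions are normal and are not reported."""
    seen = defaultdict(dict)   # flow -> {sequence position: (byte, ttl of first copy)}
    alerts = []
    for src, sport, dst, dport, seq, ttl, payload in packets:
        flow = (src, sport, dst, dport)
        for i, byte in enumerate(payload):
            pos = (seq + i) % 2**32            # TCP sequence numbers wrap at 2^32
            first = seen[flow].get(pos)
            if first is None:
                seen[flow][pos] = (byte, ttl)
            elif first[0] != byte:
                # Differing TTLs are a corroborating hint that the two
                # copies reached the client over different paths.
                alerts.append({"flow": flow, "seq": pos,
                               "first_ttl": first[1], "second_ttl": ttl})
                break                          # one alert per conflicting segment
    return alerts

# Constructed sample capture, server-to-client direction only
# (documentation address ranges, made-up payloads).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # First copy to arrive: a redirect racing ahead of the real reply.
    (SERVER, 80, CLIENT, 51000, 1000, 58,
     b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    # Genuine reply arrives later with the same sequence number.
    (SERVER, 80, CLIENT, 51000, 1000, 49,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    # Unrelated clean flow, including an identical retransmission.
    (SERVER, 80, CLIENT, 51002, 5000, 49, b"HTTP/1.1 200 OK\r\n\r\n"),
    (SERVER, 80, CLIENT, 51002, 5000, 49, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_conflicting_segments(SAMPLE):
        print(alert)
```

Serving the site over TLS with certificate validation removes the plaintext response that this kind of injection depends on; the check above is for traffic that still travels unencrypted.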






QUANTUM Capabilities - NSA

(TS//SI//REL) NSA QUANTUM has the greatest success against <yahoo>, <facebook>,
and Static IP Addresses. New QUANTUM realms are often changing, so check the GO
QUANTUM wiki page or the QUANTUM SpySpace page to get more up-to-date news.

NSA QUANTUM is capable of targeting the following realms:

• IPv4_public
• alibabaForumUser
• doubleclickID
• emailAddr
• rocketmail
• hi5Uid
• hotmailCID
• linkedin
• mail
• mailruMrcu
• msnMailToken64
• qq
• facebook
• simbarUuid
• twitter
• yahoo
• yahooBcookie
• ymail
• youTube
• WatcherID
QUANTUMTHEORY - GCHQ

If a Partnering Agreement Form (PAF) is set up with GCHQ for
the CNO project, then the R&T Analyst can utilize GCHQ
QUANTUMTHEORY to include additional capabilities such as:

• ALIBABA
• AOL
• BEBO_EMAIL
• DOUBLECLICK
• FACEBOOK_CUSER
• GOOGLEPREFID
• GMAIL
• HI5
• HOTMAIL
• LINKEDIN
• MAILRU
• MICROSOFT_MUID
• MICROSOFT_ANONA
• RAMBLER
• RADIUS
• SIMBAR
• TWITTER
• YAHOO_B
• YAHOOC/Y
• YANDEX_EMAIL
• YOUTUBE
• IP Address

More information on: https://wiki.gchq/ /QUANTUM BISCUIT

If you cannot get to the link try: http://
QUANTUM SIGDEV - QFDs

(TS//SI//REL) Find all Selectors associated to your target (Yahoo,
Yahoo B Cookies, Facebook, Hotmail, etc) using Marina, NSA or
GCHQ QFDs.

[Screenshots: NSA SATC QFDs, ALTEREGO QFD and DOGCOLLAR QFD result tables; column headers include Queried Selector, Alternate Selector, Degree, Intersection, Score (1-100), Observations, First Seen Date, Last Seen Date]

Skip to Step 5 once you have all of your selectors...
QUANTUM SIGDEV - Marina

Step 1: Skip to Step 5 if you used the QFDs to identify alternate selectors

• (TS//SI//REL) If you do not use the GCHQ or NSA QFDs you can use Marina. Run a
Marina Selector/Identifier Profile (Federated) search for a 3 month range to look for
additional selectors.

• (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section. This will show
you other selectors that your target is using. This is determined by linking content
(logins/email registrations/etc). It is worth verifying that these are indeed selectors
associated to your target. NSA QUANTUM works best against <yahoo> and
<facebook>. Although, it is worth making note of a <gmail> selector for possible GCHQ
QUANTUM support or for your own notes.

• (TS//SI//REL) If your search was on a <yahoo> email address, then click on Machine
IDs and look for a recent <yahooBcookie>. YahooBcookies are unique to a specific
computer and can hold other <yahoo> addresses that are being logged into on that
computer as long as the user does not clear browser cookies. If you see multiple
<yahooBcookie>, pick the most recent Last Heard date. Also, the higher the Num Heard is,
the more likely that selector does not change.
Unique Selectors Found:

• (Known Selector)
• @gmail.com<google> (New Selector)
• <yahooBcookie> (New Selector)

New <google> selector

(TS//SI//REL) Since @gmail.com<google> is a new selector, you will want to
do a Marina Selector Profile query on it to see if there are additional accounts
associated to the target. Remember NSA QUANTUM cannot target the <google>
selector.

(TS//SI//REL) You can do this by clicking on the selector, scrolling down to Selector
Profile, and clicking Range.

(TS//SI//REL) Change the query to search for the last 3 Months and click SUBMIT

(TS//SI//REL) Once the query finishes, look at the Equivalent IDs section and make
note of any new <yahoo>, <hotmail>, <yahooBcookie>, and <facebook> selectors and
do the same process to identify additional selectors.

Unique Selectors Found From Both Searches:

• <yahoo> (Known Selector)
• @gmail.com<google>
• <yahooBcookie> (New Selector)
• <facebook> (New Selector)
(TS//SI//REL) Once you have a list of your selectors, you will want to look at each one
separately to check for the likelihood of successfully exploiting your target via NSA
QUANTUM. We are checking to see if the target itself is seen at US- and if it is active.

(TS//SI//REL) First we want to run a Marina Active User/Presence (Federated) search on
<facebook> for the past 14 days.

• (TS//SI//REL) You will either have results or not have results. The key is to look at the
SIGAD for the results and if the SIGAD is capable of doing QUANTUM then you most
likely have a vulnerable target! To check for SIGADs that NSA and GCHQ QUANTUM
can target, type GO QUANTUM in your browser. If GCHQ QUANTUM is needed, then
work with your R&T Analyst to follow the appropriate steps on the wiki to set up a PAF.

• (TS//SI//REL) You will want to look at the Marina results and make note of the most
frequent SIGAD/IP CIDR for each Active User/Presence (Federated) query

1) Selector

a) SIGAD

b) Active User IP CIDR - The CIDR will be added to the TLN's Whitelist.

- A TLN's Whitelist is a list containing the IP CIDRs your target uses. The
FOXACID server will only continue with exploitation if the external IP Address of
the target/redirection is on the Whitelist for the TLN your R&T Analyst requests.
Is My Selector Tasked for QUANTUM?

If you sent your R&T analyst a selector to task for
QUANTUMTHEORY and you want to see if it has been tasked yet,
you can enter the selector in Target Profiler and if you see "tasked
for survey" and the Technique to be QUANTUMTHEORY or
QUANTUMNATION then it is tasked! You can also see when the last
FOXACID redirection took place.

[Screenshot: Target Profiler entry for a <yahoo> selector, marked "vulnerable" and "Tasked for survey"]
QUANTUMNATION

QUANTUMNATION uses new TAO CNE tradecraft and automation to drive broad
scale initial access, specifically an SSG cloud-analytic to identify selectors in SSO
passive collection that are viable for end-point access, and the use of lightweight
CNE implants to obtain initial access and survey data delivered to the TOPI offices
via corporate SIGINT repositories. For More Information on QUANTUMNATION check
the QUANTUMNATION wiki page.

Target Profiler now shows if a selector is vulnerable to a QUANTUM exploit. If your
target is valid for QUANTUMNATION, a "Vulnerable" link in Target Profiler will
appear. Simply click the link that sends an email to request QUANTUMNATION
tasking.

[Screenshot: Target Profiler entry for a <facebook> selector with a "vulnerable" link and a Vulnerabilities panel listing a User Agent string]

Note: QUANTUMNATION and standard QUANTUM tasking results in the same
exploitation technique. The main difference is QUANTUMNATION deploys a stage 0
implant and is able to be submitted by the TOPI. Any iOS device will always get
VALIDATOR deployed.
• (TS//SI//REL) Once you have a selector, SIGAD, and IP CIDR, you are ready to start
the process for a FOXACID TLN and Tag request.

• (TS//SI//REL) Depending on the teams, either an R&T analyst or the Branch Chief can
create a TLN (Twisty Lobby Number). Contact your Branch Chief for information on
creating a TLN for each selector you want to target.

• (TS//SI//REL) Note: You will need 1 TLN and 1 FOXACID Tag per selector you task with
QUANTUM.

Step 8:

• (TS//SI//REL) Once you have a TLN, you will need to submit a FOXACID Tag request.

• (TS//SI//REL) Go to https:/ nsa/cgi-bin/* 1 and fill out the appropriate
information in the top and within the body of the ticket update this information accordingly. Here is an example:

CT or Non-CT: Non-CT
Second Party/Partnering: No
Country Region/Type:
FISA Target: No
Type of Op: QUANTUM
Utilising WPTT: No
Project Name:
TLN: 12345 (Insert Your TLN)
IP Range: (Insert Your Active User IP CIDR / WHITELIST)
MAC Addresses: Unknown
Start Date: 20130401
MSQ Support: No
• (TS//SI//REL) Once the ticket is completed, you will receive an email with the FOXACID
Tag for your TLN.

• (TS//SI//REL) Go to https:// .nsa.ic.gov, /index.php and
fill out the appropriate information in the form to task your selector and tag for
QUANTUM

• (TS//SI//REL) Once your selector is tasked for QUANTUM you will see the status
changed to complete.

• (TS//SI//REL) The last step is to monitor the TLN in FOXSEARCH
https:/ .nsa to look for
redirections and update the plugins or WHITELIST if needed.

• (TS//SI//REL) De-task your QUANTUM request when you hook your target!